Stand-by Attacks on E-ID Password Authentication
Lucjan Hanzlik, Przemyslaw Kubiak, Miroslaw Kutylowski
Wroclaw University of Technology
We show that, despite the cryptographic strength of password authentication,
we cannot exclude an attack by a passive adversary who manipulates neither
the reader nor the microcontroller of the identity document, but only penetrates
the device covertly at some moment. So even the most careful examination
and certification of the smart cards and the readers cannot prevent attacks of
this kind. We present concrete attack scenarios for the PACE-GM, PACE-IM and SPEKE protocols.
We show that the weaknesses can be easily and effectively avoided by changing
a few implementation details on the reader side. Our second contribution is
that immunity against the attacks can be tested by the operator of the reader,
thus replacing a costly and unreliable certification process of black-box devices.
Keywords:
massive surveillance, temporary penetration attack, privacy, tracing,
wireless communication, personal identity card, password authentication,
PACE, SPEKE, verifiability, certification
INSCRYPT'2014